[pve-devel] r5356 - in pve-manager/pve2: . bin debian lib/PVE www www/manager www/templates

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Jan 11 16:04:52 CET 2011


Author: dietmar
Date: 2011-01-11 16:04:52 +0100 (Tue, 11 Jan 2011)
New Revision: 5356

Removed:
   pve-manager/pve2/lib/PVE/AuthCookieHandler.pm
   pve-manager/pve2/www/startup.pl
Modified:
   pve-manager/pve2/ChangeLog
   pve-manager/pve2/bin/pvecert
   pve-manager/pve2/debian/control.in
   pve-manager/pve2/lib/PVE/Cluster.pm
   pve-manager/pve2/lib/PVE/Makefile.am
   pve-manager/pve2/lib/PVE/REST.pm
   pve-manager/pve2/www/Makefile.am
   pve-manager/pve2/www/manager/startup.pl
   pve-manager/pve2/www/templates/pve.conf.in
Log:
	* lib/PVE/REST.pm (create_ticket): use PVE::AccessControl to
	create and verify tickets

	* lib/PVE/AuthCookieHandler.pm: removed file



Modified: pve-manager/pve2/ChangeLog
===================================================================
--- pve-manager/pve2/ChangeLog	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/ChangeLog	2011-01-11 15:04:52 UTC (rev 5356)
@@ -1,3 +1,10 @@
+2011-01-11  root  <root at maui.maurer-it.com>
+
+	* lib/PVE/REST.pm (create_ticket): use PVE::AccessControl to
+	create/&verify tickets
+
+	* lib/PVE/AuthCookieHandler.pm: removed file
+
 2010-08-27  Proxmox Support Team  <support at proxmox.com>
 
 	* bin/pvesh (list_dir): do not display all data - instead display

Modified: pve-manager/pve2/bin/pvecert
===================================================================
--- pve-manager/pve2/bin/pvecert	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/bin/pvecert	2011-01-11 15:04:52 UTC (rev 5356)
@@ -5,6 +5,7 @@
 use Getopt::Long;
 use PVE::RPCEnvironment;
 use PVE::INotify qw(read_file);
+use PVE::AccessControl;
 
 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
 
@@ -35,29 +36,10 @@
 # make sure we have a CA
 my $force = PVE::Cluster::gen_pveca_cert();
 
+$force = 1 if $opt_force;
+
 PVE::Cluster::gen_pve_ssl_cert ($force, $hostname);
 
-exit 0;
+PVE::AccessControl::cond_create_auth_key();
 
-eval { 
-    # make sure we have a private key
-    PVE::Cluster::gen_pve_ssl_key();
-
-    # make sure we have a CA
-    my $force = PVE::Cluster::gen_pveca_cert();
-
-    $force = 1 if $opt_force;
-
-    my $cinfo = PVE::Cluster::clusterinfo();
-
-    PVE::Cluster::gen_pve_ssl_cert ($force, $cinfo);
-};
-
-my $err = $@;
-
-if ($err) {
-    print STDERR "ERROR: $err";
-    exit (-1);
-}
-
 exit (0);
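Review bot: `PVE::AccessControl::cond_create_auth_key()` is added with no comment saying what it creates or what makes it conditional, in a script whose other steps each carry a `# make sure we have ...` comment; add `# make sure we have the auth key (presumably the ticket-signing key, created only if missing — confirm in PVE::AccessControl)`. Its call also runs outside any eval, so a failure ends the script through the default die handler rather than an explicit status; that matches the certificate generation above it, but is worth stating in the same comment if callers check the exit code. The option parsing and `$opt_force` live before this hunk.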

Modified: pve-manager/pve2/debian/control.in
===================================================================
--- pve-manager/pve2/debian/control.in	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/debian/control.in	2011-01-11 15:04:52 UTC (rev 5356)
@@ -3,7 +3,7 @@
 Section: admin
 Priority: optional
 Architecture: all
-Depends: perl5, libtimedate-perl, apache2-mpm-prefork, libauthen-pam-perl, libintl-perl, rsync, libapache-authcookie-perl, libapache2-request-perl, libjson-perl, libdigest-sha1-perl, libio-stringy-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, libjs-prototype (>= 1.6.0.3-1), netcat-traditional, pve-cluster, libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libhttp-request-params-perl, libpve-access-control
+Depends: perl5, libtimedate-perl, apache2-mpm-prefork, libauthen-pam-perl, libintl-perl, rsync, libapache2-request-perl, libjson-perl, libdigest-sha1-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, libjs-prototype (>= 1.6.0.3-1), netcat-traditional, pve-cluster, libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libhttp-request-params-perl, libpve-access-control
 Conflicts: netcat-openbsd
 Maintainer: Proxmox Support Team <support at proxmox.com>
 Description: The Proxmox Virtual Environment

Deleted: pve-manager/pve2/lib/PVE/AuthCookieHandler.pm
===================================================================
--- pve-manager/pve2/lib/PVE/AuthCookieHandler.pm	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/lib/PVE/AuthCookieHandler.pm	2011-01-11 15:04:52 UTC (rev 5356)
@@ -1,120 +0,0 @@
-package PVE::AuthCookieHandler;
-
-use strict;
-
-use Carp;
-use CGI '3.12';
-use mod_perl2 '1.9922';
-
-use Apache::AuthCookie::Util;
-use Apache2::RequestRec;
-use Apache2::RequestUtil;
-use Apache2::Log;
-use Apache2::Access;
-use Apache2::Response;
-use Apache2::Util;
-use APR::Table;
-use Apache2::Const qw(:common M_GET HTTP_FORBIDDEN HTTP_MOVED_TEMPORARILY);
-use URI::Escape;
-use Digest::SHA1;
-use PVE::SafeSyslog;
-use PVE::Utils;
-use base qw(Apache2::AuthCookie);
-use Encode;
-
-my $secret = (split (/\s/, `md5sum /etc/pve/pve-ssl.key`))[0];
-
-sub sign_soap_ticket {
-    my ($ticket) = @_;
-
-    my ($username, $group, $time, $mac) = split /::/, $ticket;
-
-    my $digest = Digest::SHA1::sha1_hex($username, $group, $time, $mac, $secret);
-
-    return "${ticket}::$digest";
-}
-
-sub authen_cred {
-    my $self = shift;
-    my $r = shift;
-    my ($username, $password) = @_;
-
-    # login.pl encodes data in uft-8
- 
-    my $ticket;
-    eval { $ticket = PVE::ConfigClient::request_ticket ($username, $password); };
-    my $err = $@;
-
-    if ($err) {
-	syslog ('err', "login failure: $err");
-	return undef;
-    }
-
-    return sign_soap_ticket ($ticket);
-}
-
-sub authen_ses_key {
-    my $self = shift;
-    my $r = shift;
-    my $session_key = shift;
-
-    my $uri = $r->uri;
-
-    my ($username, $group, $age, $mac) = PVE::Utils::verify_web_ticket ($secret, $session_key);
-
-    if ($username && $group) {
-
-	# update session key
-	# - but not for web services
-	# - only if older than 2 minutes
-	if ($age > 120 && $uri !~ m|^/ws/|) {
-	    syslog ('info', "update ticket");
-
-	    my $ticket;
-	    eval { 
-		$ticket = PVE::ConfigClient::update_ticket ($session_key); 
-		$session_key = sign_soap_ticket ($ticket);
-		$self->send_cookie ($r, $session_key);
-	    };
-	    my $err = $@;
-
-	    syslog ('err', "update ticket failed: $err") if $err;
-	}
-
-	return $username;
-    }
-
-    return undef;
-}
-
-sub group {
-    my ($self, $r, $args) = @_;
-
-    my $cookie = $self->key ($r);
-
-    my ($username, $group) = split /::/, $cookie;
-
-    if ($args eq $group) {
-	return OK;
-    }
-
-    return FORBIDDEN;
-}
-
-
-sub login_form {  
-  my ($self, $r) = @_;
-
-  my $uri = $r->uri;
-
-  # no login for for web services
-  if ($uri =~ m|^/ws/|) {
-      my $code = AUTH_REQUIRED;
-      $r->custom_response($code, '');
-      return $code;
-  }
-
-  return $self->SUPER::login_form ($r);
-}
-
-1;

Modified: pve-manager/pve2/lib/PVE/Cluster.pm
===================================================================
--- pve-manager/pve2/lib/PVE/Cluster.pm	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/lib/PVE/Cluster.pm	2011-01-11 15:04:52 UTC (rev 5356)
@@ -18,7 +18,7 @@
 my $pveca_key_fn = "$basedir/priv/pve-root-ca.key";
 my $pveca_srl_fn = "$basedir/priv/pve-root-ca.srl";
 my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
-my $pvessl_key_fn = "$basedir/local/priv/pve-ssl.key";
+my $pvessl_key_fn = "$basedir/local/pve-ssl.key";
 my $pvessl_cert_fn = "$basedir/local/pve-ssl.pem";
 
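Review bot: Moving the server key from `local/priv/pve-ssl.key` to `local/pve-ssl.key` puts the private key in the same directory as the public certificate `pve-ssl.pem`; whether `$basedir/local` carries the restrictive permissions that `priv/` presumably had is not visible here, so confirm the key is not world-readable at its new location. The matching change in www/templates/pve.conf.in at L481-482 is consistent with this one. If the move is deliberate, record the reason on the line, e.g. `# key kept outside priv/ — presumably so the web server can read it; confirm directory mode`.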
 sub gen_local_dirs {
@@ -40,12 +40,9 @@
     
     return if -f $pveca_key_fn;
 
-    my $old_umask = umask();
     eval {
-	umask (0177);
 	PVE::Utils::run_command (['openssl', 'genrsa', '-out', $pveca_key_fn, '1024']);
     };
-    umask ($old_umask);
 
     die "unable to generate pve ca key:\n$@" if $@;
 }
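Review bot: Dropping the `umask(0177)` around `openssl genrsa` means the CA private key written to `$pveca_key_fn` is created with whatever umask the caller inherits; unless the filesystem under `$basedir/priv` enforces its own permissions (not visible here), the key can end up mode 0644 and readable by every local user. Keep the umask narrowing, or tighten the file after generation, e.g. `chmod 0600, $pveca_key_fn or die "chmod $pveca_key_fn: $!";` right after the run_command. The umask save was also removed from update_serial at L260-267, but that file is not secret. The enclosing sub starts before this hunk.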
@@ -88,8 +85,7 @@
 sub update_serial {
     my ($serial) = @_;
 
-    my $old_umask = umask();
-    system ("echo '$serial' > '$pveca_srl_fn'");
+    PVE::Tools::file_set_contents($pveca_srl_fn, $serial);
 }
 
 sub gen_pve_ssl_cert {

Modified: pve-manager/pve2/lib/PVE/Makefile.am
===================================================================
--- pve-manager/pve2/lib/PVE/Makefile.am	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/lib/PVE/Makefile.am	2011-01-11 15:04:52 UTC (rev 5356)
@@ -8,7 +8,6 @@
 	APIDaemon.pm		\
 	REST.pm			\
 	SourceFilter.pm		\
-	AuthCookieHandler.pm	\
 	URLRewrite.pm		\
 	I18N.pm			\
 	HTMLUtils.pm		\

Modified: pve-manager/pve2/lib/PVE/REST.pm
===================================================================
--- pve-manager/pve2/lib/PVE/REST.pm	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/lib/PVE/REST.pm	2011-01-11 15:04:52 UTC (rev 5356)
@@ -2,7 +2,9 @@
 
 use warnings;
 use strict;
+use Digest::SHA1 qw(sha1_base64);
 use PVE::SafeSyslog;
+use PVE::Tools;
 use PVE::API2;
 use Apache2::Const;
 use CGI;
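Review bot: `Digest::SHA1 qw(sha1_base64)` and `PVE::Tools` are imported here but neither name is used in any of this commit's hunks of REST.pm, and the `my $secret;` added at L309 is likewise never assigned or read in view. If the rest of the file (outside these hunks) does not use them, they look like leftovers from the in-file ticket handling that PVE::AccessControl now replaces and should be dropped so the file's imports reflect what it actually depends on.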
@@ -13,12 +15,15 @@
 use HTTP::Status qw(:constants :is status_message);
 use HTML::Entities;
 use PVE::JSONSchema;
+use PVE::AccessControl;
 
 use Data::Dumper; # fixme: remove
 
 my $realm = 'PVE API Server';
 my $cookie_name = 'PVEAuthCookie';
 
+my $secret;
+
 my $baseuri = "/api2";
 
 # http://perl.apache.org/docs/2.0/api/Apache2/SubProcess.html
@@ -31,24 +36,24 @@
     return $cookie;
 }
 
-sub verify_ticket {
-    my ($ticket) = shift;
+sub create_ticket {
+    my ($user, $pw) = @_;
 
-    if ($ticket eq "root::root::") {
-	return ("root", 10);
-    }
+    my $euid = $>;
 
-    return undef;
-}
+    my $ticket;
+    eval {
+	$user = PVE::AccessControl::authenticate_user($user, $pw);
+	$ticket = PVE::AccessControl::assemble_ticket($user);
+    };
+    my $err = $@;
 
-sub create_ticket {
-    my ($user, $pw) = @_;
+    if ($err) {
+	syslog('err', $err);
+	return undef;
+    }
 
-    if ($user eq 'root' and $pw eq 'admin') {
-	return "root::root::";
-    } 
-
-    return undef;
+    return $ticket;
 }
 
 sub extract_auth_cookie {
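Review bot: `my $euid = $>;` in create_ticket is assigned and never used in the new body, so it is dead code; remove it, or if the intent was to check the effective uid before creating tickets, that check is missing. `return undef;` yields a one-element list in list context, so prefer a bare `return;`. A header comment would help readers, e.g. `# Authenticate $user/$pw via PVE::AccessControl and return a ticket, or undef after logging the failure`, and `$user` being reassigned from authenticate_user's return (presumably a canonicalised name — confirm) deserves a one-line note at that assignment.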
@@ -273,11 +278,11 @@
     }
 
     my ($username, $age);
-    ($username, $age) = verify_ticket ($ticket) if $ticket;
+    ($username, $age) = PVE::AccessControl::verify_ticket($ticket, 1) if $ticket;
 
     return { status => HTTP_UNAUTHORIZED } if !($ticket && $username);
 
-    syslog ('info', "GOT $method $abs_uri VALID TICKET $ticket");
+    #syslog ('info', "GOT $method $abs_uri VALID TICKET $ticket");
     
     my $uri_param = {};
     my ($handler, $info) = PVE::API2->find_handler($method, $rel_uri, $uri_param);
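Review bot: The bare `1` passed as second argument to `PVE::AccessControl::verify_ticket($ticket, 1)` is a flag whose meaning is not visible here; name it, e.g. `# 2nd arg: <flag meaning — confirm in PVE::AccessControl>`. The syslog line that printed the ticket value is commented out rather than deleted; a valid ticket is a bearer credential, so leaving the line in place invites it being re-enabled — delete it outright. The enclosing handler starts before this hunk.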

Modified: pve-manager/pve2/www/Makefile.am
===================================================================
--- pve-manager/pve2/www/Makefile.am	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/www/Makefile.am	2011-01-11 15:04:52 UTC (rev 5356)
@@ -2,11 +2,6 @@
 
 SUBDIRS = templates images ext css manager
 
-bin_SCRIPTS = 			\
-	startup.pl
-
-bindir = ${WWW_BASEDIR}
-
 install-data-hook:
 	chown -R www-data:www-data ${DESTDIR}${WWW_BASEDIR}
 

Modified: pve-manager/pve2/www/manager/startup.pl
===================================================================
--- pve-manager/pve2/www/manager/startup.pl	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/www/manager/startup.pl	2011-01-11 15:04:52 UTC (rev 5356)
@@ -28,15 +28,24 @@
 
 use PVE::pvecfg;
 use PVE::REST;
-use PVE::Config;
+use PVE::INotify;
+use PVE::RPCEnvironment;
 
 sub childinit {
     syslog ('info', "Starting new child $$");
+    PVE::INotify::inotify_init();
+    PVE::RPCEnvironment->init('pub');
+
     PVE::Config::inotify_init();
 }
 
+sub childexit {
+    syslog ('info', "Finish child $$");
+}
+
 my $s = Apache2::ServerUtil->server;
 $s->push_handlers(PerlChildInitHandler => \&childinit);
+$s->push_handlers(PerlChildExitHandler => \&childexit);
 
 1;
 
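Review bot: childinit still calls `PVE::Config::inotify_init();` while this hunk removes `use PVE::Config;`, so unless PVE::Config is loaded transitively by another module, every child init dies with an undefined-subroutine error. The new `PVE::INotify::inotify_init();` above it appears to be its replacement, and the deleted www/startup.pl (L456-460) had the same childinit without that line, so drop `PVE::Config::inotify_init();`. The file's preamble and remaining `use` lines are before this hunk.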

Deleted: pve-manager/pve2/www/startup.pl
===================================================================
--- pve-manager/pve2/www/startup.pl	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/www/startup.pl	2011-01-11 15:04:52 UTC (rev 5356)
@@ -1,51 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-use PVE::SafeSyslog;
-
-use ModPerl::Util (); #for CORE::GLOBAL::exit
-
-use Apache2::RequestRec ();
-use Apache2::RequestIO ();
-use Apache2::RequestUtil ();
-use Apache2::Access;
-use Apache2::Response;
-use Apache2::Util;
-  
-use Apache2::ServerUtil ();
-use Apache2::Connection ();
-use Apache2::Log ();
-  
-use APR::Table ();
-  
-use ModPerl::Registry ();
-  
-use Apache2::Const -compile => ':common';
-use APR::Const -compile => ':common';
-
-initlog ('proxwww', 'daemon');
-
-use HTML::Entities;
-use PVE::pvecfg;
-use PVE::AuthCookieHandler;
-use PVE::REST;
-use PVE::INotify;
-use PVE::RPCEnvironment;
-
-sub childinit {
-    syslog ('info', "Starting new child $$");
-    PVE::INotify::inotify_init();
-    PVE::RPCEnvironment->init('pub');
-}
-
-sub childexit {
-    syslog ('info', "Finish child $$");
-}
-
-my $s = Apache2::ServerUtil->server;
-$s->push_handlers(PerlChildInitHandler => \&childinit);
-$s->push_handlers(PerlChildExitHandler => \&childexit);
-
-1;
-

Modified: pve-manager/pve2/www/templates/pve.conf.in
===================================================================
--- pve-manager/pve2/www/templates/pve.conf.in	2011-01-11 14:42:40 UTC (rev 5355)
+++ pve-manager/pve2/www/templates/pve.conf.in	2011-01-11 15:04:52 UTC (rev 5356)
@@ -68,7 +68,7 @@
     SSLEngine on
     SSLProtocol all -SSLv2
     SSLCertificateFile @PROXMOX_ETC@/local/pve-ssl.pem
-    SSLCertificateKeyFile @PROXMOX_ETC@/local/priv/pve-ssl.key
+    SSLCertificateKeyFile @PROXMOX_ETC@/local/pve-ssl.key
 
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)



